Data Breach Rattles Card Issuers

Once again, credit card issuers across the country have begun to assess the impact of a significant card data security breach at a major card processor.

The processor that was breached, Atlanta-based Global Payments Inc, processes a wide variety of payments. The company did not identify how many retailers or clients that it serves, but calls itself “a leading provider of electronic transaction processing services for merchants, independent sales organizations, financial institutions, government agencies and multinational corporations.”

Global Payments also reported that it offers a comprehensive line of processing solutions for credit and debit cards, business-to-business purchasing cards, gift cards, electronic check conversion and check guarantee, verification and recovery including electronic check services, as well as terminal management.

The company announced on March 30 that it had uncovered the breach early in the month and that it “immediately engaged external experts in information technology forensics and contacted federal law enforcement.” It added that it “promptly notified appropriate industry parties to allow them to minimize potential cardholder impact.”

On April 2, the company announced that 1.5 million accounts were compromised but called the breach “contained.”

“We are making rapid progress toward bringing this issue to a close,” said Global Payments Chairman/CEO Paul R. Garcia. “Our nearly 4,000 employees around the world are focused on providing exceptional service. We are open for business and continue to process transactions for all of the card brands.”

The company said the investigation to date has revealed that card data may have been stolen, but that cardholder names, addresses and Social Security numbers were not obtained by the criminals.

Media reports last week said Visa had dropped Global Payments from the list of compliant service providers due to the breach, but neither Visa nor the company has commented further.

The Global Payments breach is the biggest one since January 2009 when Heartland Payments Systems revealed a 2008 breach that compromised millions of card accounts. Most of the members of the gang that had been involved in that breach and several other significant card thefts were eventually caught and leaders of the crime organization are serving sentences in federal prison.

Heartland paid tens of millions of dollars in fines to the major card brands and in negotiated payments to card issuers for part of their losses, though the card processor largely avoided any further legal damages in lawsuits from issuers, including credit unions.

The only bright spot in this breach rests in the observation that the 1.5 million estimated compromised accounts have not yielded much theft. Industry sources speculated on background that this might be because the current thieves may lack the sophisticated and efficient means the previous gang used for turning the stolen card data into cash.

PSCU, a payments CUSO, acknowledged that it had been alerted to the breach but added that, as of March 30, it had not had many incidents of fraud from the compromised cards that were issued by credit unions.

That did not stop insurers or credit union card processors from sending out instructions on how credit unions could limit their card losses from the breach.

CUNA Mutual advised credit unions with card accounts identified as potentially compromised and are due to expire within 180 days to consider moving the expiration date forward and reissuing the cards.

Other steps that the insurer recommended included making sure that credit unions are using name matching to catch instances of where thieves may have changed names on cards. It also suggested notifying cardholders that they may want to place an initial fraud alert with the credit bureaus to limit their risk of identity theft.

The Members Group, a payments CUSO associated with the Iowa Credit Union League, advised CUs to avoid taking fraud prevention steps that may not fit their own card-issuing situations or patterns.

“The best prevention strategies will be different for every issuer,” said Karen Postma, senior risk manager for cards at TMG. It “will depend greatly on where and how the fraudulent activity occurs.” For some credit unions, a reissue may be the best approach to minimizing losses. For others, Postma said, “tighter rule-setting and diligent monitoring will be sufficient.”

Postma, who has advised credit union card-issuers through breaches like the 2008 Heartland Payments System compromise, said it’s too early to predict the fallout from this particular breach. “We plan to be in close communication with each of our card-issuing clients for the next several months as the investigation into the breach continues. Credit unions should absolutely be proactive, however, monitoring their portfolios very closely to understand whether and to what extent they are being affected. If they determine they are being hit with high levels of fraudulent activity, more aggressive measures are likely necessary.”

Beyond the question of how individual credit unions handle their own card risks, this breach has raised questions again about the payment card industry data security standards that are supposed to be in place up and down the payments chain to prevent just this sort of breach from happening.

Industry security experts have always cautioned that being compliant with industry rules has never provided complete protection from data breaches and that the standards merely provided protection at a given point of time.

“The company noted that Visa had pulled its compliance certification for the payment card industry data security standard and that it would have to reapply,” noted Neil Roiter, research director at Corero Network Security. “But the point is that PCI DSS compliance in and of itself does not guarantee security or make credit card companies immune to being breached.

"Global Payments was clearly vulnerable and other processing companies likely are as well. They all need to review continuously the security policies, practices and technology controls they have in place, including but not limited to encryption, access controls and authentication,” he said. “Cyber criminals are evolving their attack techniques. Companies need to do the same. In addition, companies need to understand that no combination of security measures guarantee a breach won’t occur. It is critical, therefore, that if an attack is not stopped in its tracks, the company has the tools in place to quickly detect and mitigate it.”